by psnosignaluk 1647 days ago
At a company like the one I work for, it's a hill no one can afford to die on. PCI-DSS demands at least some control over employee laptops to ensure that certain secure configuration standards are met. That entails dropping command and control agents on machines. Say what you will about PCI and credit card cartels, but no accreditation, no business.

That said, as I work from home, my work laptop lid remains closed for all but a fortnightly company all-hands meeting, and I ensure that I keep zero personal data on it. I'd be an absolute no if the demand ever morphed to always on video or activity trackers. That's a bridge too far.

As it stands, I understand the need for some policy enforcement/remote control of their assets, but will make whatever moves I must to ensure that policy doesn't infringe on the rest of my environment.

1 comment

> PCI-DSS demands at least some control over employee laptops to ensure that certain secure configuration standards are met.

How does PCI-DSS compliance work in European countries, with GDPR and actual employee rights with teeth and serious fines at play?

Quite easily, actually.

PCI-DSS certified companies (mostly based on my experience at the one I'm currently employed at in France, and things I've heard) have agents on employee laptops, but there's an upfront disclaimer about what it does and what data it collects (close to none: it checks for encryption, password policy, antivirus and stuff like this, but no actual activity data is collected). In some cases work has to be done on a terminal server, so no actual PCI-DSS covered data hits the employee laptops.

And note, there was backlash against the agent being deployed, which was handled with full transparency: the scripts run by the agent are (internally) open source, there were assurances about privacy, etc. Considering the fines possible, and employee representation, employees are generally inclined to trust those assurances.

By not making overly privacy-invasive demands. Lots of security controls don't collect any sensitive information (e.g. verifying the usual security checklist of "fully patched/encrypted/...", 2FA, ...), and the laws generally leave room for those that absolutely need to, if done correctly.